• It’s not technically related to the WP software, but I am hoping that some kinder soul here might help me figure things out. It’s my website, including my blog, that has been hacked.

    Whenever I try to access my website (https://sofv.uni.cc) or the subdomains under it, the page is forcefully redirected to an infected webpage, which caused my domain to be suspended by my host. So far, I have found besttraff.us/top/index.html and toolbarpartner.com to be the sites that the redirection leads to. I have banned their IPs, but it doesn’t seem to solve the problem. I also ran a virus scan on my own domain, and it came off clean. There was no redirection set up by me either.

    What should I do?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Do you have shell access or some way to modify your files? If so, check your .htaccess file at the web root. Look for redirects there. Also, make sure that only you have write access to that file.

    Also, if you have ftp access, try renaming files that you think may be causing this – it could be the .htaccess, it could be another file.

    And when you regain control, CHANGE ALL YOUR PASSWORDS

    Thread Starter gaebe

    (@gaebe)

    I can get to my files via Cpanel and the .htaccess file in the public_html has no redirect. That’s what I get:

    # -FrontPage-

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    SetEnvIfNoCase Referer "^https://sofv.uni.cc/" locally_linked=1
    SetEnvIfNoCase Referer "^https://sofv.uni.cc/" locally_linked=1
    SetEnvIfNoCase Referer "^$" locally_linked=1

    ErrorDocument 401 /404.html
    ErrorDocument 402 /404.html
    ErrorDocument 403 /404.html
    ErrorDocument 404 /404.html

    <Limit GET POST>
    #The next line modified by DenyIP
    order allow,deny
    #The next line modified by DenyIP
    #deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName https://www.sofv.uni.cc
    AuthUserFile /home/sofv/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/sofv/public_html/_vti_pvt/service.grp

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^https://catharsis.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://catharsis.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://gaebe.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://gaebe.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://glenn.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://glenn.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://sofv.cjb.net/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://sofv.cjb.net$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.catharsis.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.catharsis.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.gaebe.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.gaebe.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.glenn.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.glenn.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.sofv.cjb.net/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.sofv.cjb.net$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.sofv.uni.cc$ [NC]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp|zip|mp3)$ - [F,NC]
    deny from 65.75.165.80
    deny from 195.225.176.30

    It might not be the .htaccess – you can set up redirects in any file.

    I can see your site – what exactly do I need to do to get redirected?

    Thread Starter gaebe

    (@gaebe)

    hmm…. Well, right now it seems to work fine, but there are still two of the subdomains that are not accessible. I’m assuming that it’s because I banned the IPs of the 2 websites being redirected to. But over the past two days, I have been able to access the website on and off. At moments, it seems fine (like now) and then it gets redirected again.

    You don’t have to actually do anything to get redirected. When I typed the domain in the address bar, the page either got automatically redirected, and my antivirus caught a whole load of trojan files, or I got to see the suspended page by my webhost.

    Hmm….if this were mine, I’d backup everything and then start deleting files. You could get the files onto your machine, scan them, open them and then rebuild the site?

    Thread Starter gaebe

    (@gaebe)

    The two subdomains still inaccessible are https://glenn.sofv.uni.cc and https://catharsis.sofv.uni.cc

    Thread Starter gaebe

    (@gaebe)

    Do you mean scan with antivirus? I could download the files on my computer. Should I scan the databases too? Also, I’m not sure if there’s actually a virus on *my* files, seeing as the virus scan on the domain came off clean… I’m not sure if the antivirus could catch something like a redirect… =(

    And what exactly should I be looking for in the files?

    If this were my site, I would download all the files to my computer.
    I would then delete everything from the server.
    I’d upload a single page explaining the downtime.

    I would then scan everything on your machine, and open up every page of code. Once I was satisfied it was all clean – doing it section by section – I would reupload.

    But:
    – I would change every single password that you use on that server and if others have access, change theirs too
    – I would make sure that permissions on all files were as low as possible (max 755)

    Hosts never really help out in situations like this, they just close you down – as you have seen.

    As for viruses? Not sure – they could be being remotely loaded.

    Either way, if your site has been hacked, you need to do something.
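
An added example, not part of the original thread: one way to run the "open up every page of code" and "max 755" checks from the reply above over a copy of the site that preserves file modes (for example a tar backup unpacked locally). The function names, the pattern list and the sample files are constructed for illustration; the two domains are the ones the thread starter reported.

```python
import os
import re
import tempfile

# Redirect targets named by the thread starter.
REPORTED_DOMAINS = (b"besttraff.us", b"toolbarpartner.com")
# Constructs that can send a visitor elsewhere (.htaccess, PHP, HTML, JS).
REDIRECT_PATTERNS = {
    "htaccess-redirect": re.compile(
        rb"^\s*(Redirect(Match)?\s|RewriteRule\s.*\[[^\]]*\bR\b)", re.I | re.M),
    "php-location": re.compile(rb"header\s*\(\s*['\"]\s*Location\s*:", re.I),
    "meta-refresh": re.compile(rb"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    "js-location": re.compile(rb"(window|document|top)\.location(\.href)?\s*=", re.I),
    "hidden-iframe": re.compile(
        rb"<iframe[^>]+(display\s*:\s*none|(width|height)\s*=\s*['\"]?[01]\b)", re.I),
}

def audit_site_copy(root, max_mode=0o755):
    """Walk a copy of the site and return sorted (relative path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode & 0o777
            if mode & ~max_mode:  # any permission bit beyond max_mode is set
                findings.append((rel, "mode %o exceeds %o" % (mode, max_mode)))
            with open(path, "rb") as fh:
                data = fh.read()
            for domain in REPORTED_DOMAINS:
                if domain in data.lower():
                    findings.append((rel, "mentions " + domain.decode()))
            for label, pattern in REDIRECT_PATTERNS.items():
                if pattern.search(data):
                    findings.append((rel, label))
    return sorted(findings)

def run_constructed_demo():
    """Constructed sample tree (not the poster's files): one clean, two tampered."""
    samples = {
        ".htaccess": (b"RewriteEngine on\nRewriteRule .*\\.(jpg|gif)$ - [F,NC]\n", 0o644),
        "index.php": (b"<?php header('Location: http://besttraff.us/top/index.html');\n", 0o644),
        "footer.html": (b"<iframe src='http://toolbarpartner.com' width=0 height=0>\n", 0o777),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_site_copy(root)
```

A hit marks a file to open and read, not proof of tampering: legitimate code also issues redirects, and the hotlink rule in the posted .htaccess (flag `[F,NC]`) is correctly left unflagged.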

    Thread Starter gaebe

    (@gaebe)

    Ok. Thanks. I need to do something, that’s for sure. Is it possible for someone to do this without having access to my files?

  • The topic ‘Website been hacked’ is closed to new replies.